Recently, as part of regular platform maintenance, we did a standard upgrade of several vendor components, including the Java engines used by the front-facing MQTT controllers.
That upgrade added support for TLSv1.3, among other changes. It also disabled protocols and algorithms now considered insecure, such as SHA-1, TLSv1.0 and TLSv1.1, to name a few.
After the upgrade was completed, we tested with our client tools (Paho, openssl s_client -connect, mosquitto_sub and curl with GnuTLS) to ensure everything was in place.
All of them showed the expected results, connecting without any issue.
Since then, some users have been reporting connection problems, which were traced to very old MQTT clients whose OpenSSL engines only support TLSv1.0 and TLSv1.1. For these, we have decided to re-enable those protocols, because otherwise they would have to fall back to plaintext, which is even less secure.
However, after these changes, Node.js mqttjs users and Node-RED were still having issues. After an intensive investigation (traces, Wireshark and tcpdump), we were able to reproduce the problem, and we can confirm there is an issue in the mqttjs package that prevents it from connecting to servers offering TLSv1.3.
We can confirm that:
- Python, curl, GnuTLS and OpenSSL are all able to connect using TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3.
- We are also able to connect using the Node.js tls module with all of these protocols (using the latest LTS Node.js release, 20.10.0).
- However, for some reason, mqttjs has a problem with TLSv1.3: it is only able to connect to servers/clusters that offer up to TLSv1.2. Once TLSv1.3 is disabled, the negotiation completes without any issue.
Running extensive tests with Wireshark and tcpdump, we can confirm that the low-level TCP and TLSv1.3 handshake completes without any problems using the Node.js tls module.
However, with mqttjs something blocks, or raises an error that is never reported to the console in any form. The client just connects, exchanges the TLS Client Hello and Server Hello (both match), and then silence, until the timeout fires.
For now, on the basis that it is better to have at least TLSv1.2 working, and knowing TLSv1.2 is still a sound option, we have disabled TLSv1.3 so that all applications based on the Node.js mqttjs package, including Node-RED, can connect using TLS (that is, TLSv1.2).
At some point in the coming months we will revisit the issue and re-enable TLSv1.3, as it is the industry-standard recommendation.
Update: MQTTX, MQTT-Explorer and openHAB are also affected by this issue. They should now be able to connect again as expected.